Latest Email Breaches Compromised PHI of Nearly 300,000Incidents Highlight Ongoing Email Security Challenges
Several major email breaches reported by healthcare entities in recent days and weeks have affected the health data of nearly 300,000 individuals. Experts say the incidents highlight the ongoing challenges many organization face involving phishing attacks and similar email compromises.
Among healthcare organizations reporting to the U.S. Department of Health and Human Services significant email security incidents over the last month are:
- Lake Mary, Florida-based Central Florida Inpatient Medicine reporting on June 7 a breach affecting nearly 198,000 individuals;
- Everett, Washington-based Kaiser Foundation Health Plan of Washington state, which offers healthcare services as Kaiser Permanente, reporting on June 3 an incident affecting nearly 69,600 individuals;
- Alameda, California-based Alameda Health System reporting on May 20 a breach affecting 90,000 individuals.
Email systems - along with web applications - are the most common vectors for data breaches, shows data recently compiled for Verizon's annual data breach report (see: Analysis: Verizon's Latest Data Breach Investigation Report).
That may well be an unavoidable fact of life, since the main ways in which a business is exposed to the internet are also the main ways it's exposed to attacks, the report says.
A 2022 state of email security survey of 1,400 IT and security professionals by security vendor Mimecast found that phishing was the biggest culprit in breaches overall in 2021, with 36% of data breaches due, at least in part, to employee credentials stolen through a phishing attack.
Also, 96% of the Mimecast survey respondents said that their organizations had faced a form of phishing attack in the past year.
In a breach notification statement, Central Florida Inpatient Medicine says its incident involved access to an employee email account by an unauthorized party.
The organization does not indicate when it discovered the incident but says it determined on May 5 that the affected email account contained identifiable personal information and protected health information. An investigation that included "time consuming manual document review" concluded that the email account had been accessed between Aug. 21 and Sept. 17, 2021.
Affected information includes patient names, dates of birth and medical information, including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information.
In "a limited number" of cases, Social Security numbers, driver's license numbers, financial account information, and usernames and passwords were also affected.
"CFIM has no evidence to suggest that any information has been misused," the medical center’s statement says.
In the wake of the incident, CFIM says it has taken steps to minimize the risk of a similar future incident.
That includes implementing additional technical safeguards on its email system, using multifactor authentication and providing additional training to employees.
CFIM did not immediately respond to Information Security Media Group's request for comment.
Kaiser Permanente Breach
In a statement about its breach, Kaiser Permanente says that on April 5, the entity discovered an unauthorized party who had gained access to an employee's email.
"We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident," Kaiser Permanente says.
Information potentially exposed in the email incident includes patient name, medical record number, dates of service, and laboratory test result information. "Sensitive information such as Social Security number and credit card numbers were not included in the information," Kaiser Permanente says.
"We do not have any evidence of identity theft or misuse of protected health information as a result of this incident," the entity's statement says.
Besides terminating the unauthorized party’s access to the affected employee's email, resetting the worker's email password and providing the individual additional training, Kaiser Permanente says it is also "exploring other steps" to prevent similar future incidents.
Kaiser Permanente did not immediately respond to ISMG's request for additional details.
Alameda Health System Breach
In a statement provided to ISMG, AHS says it recently became aware of suspicious email activity associated with an AHS email account.
"Our security team immediately took action to secure the account, launched an investigation, and engaged a leading forensic security firm for assistance," the statement says.
The investigation determined that persons outside of AHS were able to access the email accounts of several AHS employees remotely. "At this time, we are not aware of any information having been taken from the compromised accounts," the statement says.
A spokeswoman for the Northern California health system tells ISMG it plans to post a public notice with additional information about the breach on its website within the next few days.
AHS' recent breach appears to be the second major email incident reported by the entity within the last two years. In September 2020, Alameda reported to HHS OCR an email breach affecting nearly 2,700 individuals.
Recent Email Breach Trends
As of Wednesday, the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website shows 79 major health data breaches involving email affecting a total of nearly 1.8 million individuals so far in 2022.
Nearly all of those breaches were reported as hacking/IT incidents. Six of the incidents were reported as "unauthorized access/disclosure" breaches.
Commonly called the "wall of shame," the HHS OCR website lists reported health data breaches affecting 500 or more individuals.
The CFIM breach is listed as the second-largest health data breach involving email in 2022, so far.
The largest email breach so far this year was a hacking/IT incident reported on March 25 by Illinois-based Christie Clinic, affecting nearly 503,000 individuals.
The Alameda Health System and Kaiser incidents are respectively the fourth- and sixth-largest email breaches posted on the HHS OCR website so far this year.
Healthcare entities, like organizations in other sectors, continue to fall victim to breaches involving email compromises, phishing and similar incidents for a variety of reasons.
"Not all users interact with data or systems in the same manner, especially in healthcare, so organizations can improve their awareness and training by focusing on the context specific to the audience," says Dustin Hutchison, CISO at security firm Pondurance.
Staying aware of emerging threats and being involved in information-sharing groups can help organizations craft meaningful awareness and training on a more frequent basis, he suggests.
"Another important point for phishing training is to ensure users are trained prior to testing and failing the test is an opportunity for additional training and not punitive," he says.
The key to helping reduce email hacking incidents is to enforce multifactor authentication and ensure a method of monitoring with response actions, Hutchison adds.
"Multifactor authentication is the first step to reduce inappropriate access, followed by monitoring and response for not only email, but all systems," he says.
Organizations should also focus on limiting access to systems with the minimum necessary level of access and have the ability to quickly sever user access or isolate systems in the event of a breach, according to Hutchison.
"We know that threat actors predominantly leverage social engineering tactics targeting the healthcare segment, particularly at times that a healthcare facility may not be fully staffed with IT and SecOps personnel: nights, weekends, holidays," says Anthony Martinez, vice president of consulting services at privacy and security consultancy Clearwater.
Martinez says threat actors are constantly performing open-source intelligence, looking for the shortest open path in.
"Healthcare organizations need to ensure their digital footprint is intentional and aligned to their respective hardening practices," he says.
"Leverage a framework such as MITRE ATT&CK to conduct threat modeling. While not all payloads will be noisy enough for detection, understanding how adversary TTPs look and feel in your environment will support your defense strategy," Martinez says.